Some ramblings from an old hack

This release has grown into a very large one because of much going on in the lives of those involved. It includes some major changes (hopefully none that break too much), so please roll it out to your production servers with the usual caution.

I’m a fair bit late on this one – 2.8.11 has been on npm for a while. My apologies to the team for letting a blog post and email slip. There have been some more fantastic changes in this release related to TLS, specifically the addition of OCSP stapling. The full change list is below.

This release pretty much signifies exactly why I love truly open source software – the release happened almost entirely in my absence, and I’m enormously grateful for the talented developers that work so hard and diligently on this project.

The main focus of this release has been some huge improvements to our TLS support from a contributor known only as “typingArtist” – ah, the mysteries of the internet – we may never know your real-life identity, but we remain grateful – you are Haraka’s “Batman” this release. Many further thanks to Matt Simerson, who coordinated this release and continues to contribute fantastic work to this project. We don’t forget our other contributors, but those two were the standouts in this release.

Note this release contains a major security fix for those using the attachments plugin. Previous versions of this plugin allowed remote code execution using specially crafted zip files. Users are urged to upgrade as soon as possible.

New Features

Support `outbound.pool_timeout` of 0 to effectively disable pooling. #1561

One really useful way to use Haraka at a business is as a fast local cache that forwards on to Mailchimp, SendGrid, SES or one of the many other transactional mail senders out there. These services offer bounce management, tracking and deliverability management for you, yet their sending systems are often slow, which can affect your app. By installing Haraka locally you keep all those benefits, but your system returns from sending mail much faster.

Now edit `/var/apps/haraka/config/plugins` to define which plugins Haraka will load. Here’s my simple config for this setup:

```text
# this lets you view how much stuff your haraka instance is doing
process_title
# this lets you receive inbound mail, but is mostly not required
rcpt_to.in_host_list
# this is a custom plugin I'll detail below
relay_via_external
# this lets you configure who can relay (i.e. your app)
relay
# check that mail headers are valid
data.headers
# this lets you configure where inbound mail goes (also mostly not required)
queue/smtp_forward
# this is just a safety net
max_unrecognized_commands
```

Edit your `smtp.ini` file so it listens on a higher port (so you don’t have to run it on port 25) by setting the `listen=` line to `listen=[::0]:2525`, and set the `nodes=` line to as many CPUs as you think is reasonable for your setup.

Finally, copy this plugin into `/var/apps/haraka/plugins/relay_via_external`:
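The original `relay_via_external` plugin is not reproduced on this page. What follows is an added stand-in written for this post, not the author’s plugin: it hooks outbound’s `get_mx` stage and hands every queued message to one external relay instead of resolving the recipient domain’s MX. It assumes Haraka’s `get_mx` contract of `next(OK, mx)` with an mx object of the form `{ priority, exchange, port, auth_user, auth_pass }`, and it reads its settings from a `config/relay_via_external.ini` file with a `[main]` section containing `host`, `port`, `user` and `pass` (a layout chosen for this example). The constant `OK` is normally injected by Haraka as a global; the fallback value keeps the module loadable outside Haraka.

```javascript
'use strict';

// Haraka injects OK as a global when it loads a plugin; 906 is its value in
// haraka-constants, used here as a fallback so the module also loads in tests.
const OK = (typeof global.OK === 'number') ? global.OK : 906;

function register() {
  this.load_config();
}

function load_config() {
  const plugin = this;
  // Re-read on change so relay credentials can be rotated without a restart.
  plugin.cfg = plugin.config.get('relay_via_external.ini', () => plugin.load_config());
}

// Turn the [main] section into the mx object outbound expects, or return null
// when the section is unusable so the caller can fall back rather than guess.
function build_mx(cfg) {
  const main = (cfg && cfg.main) || {};
  if (!main.host) return null;
  const port = parseInt(main.port, 10);
  const mx = {
    priority: 0,
    exchange: main.host,
    port: (Number.isInteger(port) && port > 0 && port < 65536) ? port : 587,
  };
  // Attach credentials only when both halves are present; a user without a
  // password would otherwise surface as a confusing AUTH failure downstream.
  if (main.user && main.pass) {
    mx.auth_user = main.user;
    mx.auth_pass = main.pass;
  }
  return mx;
}

// outbound calls this once per queued message; calling next() with no result
// lets Haraka do its normal MX lookup for `domain`.
function hook_get_mx(next, hmail, domain) {
  const plugin = this;
  const mx = plugin.build_mx(plugin.cfg);
  if (!mx) {
    plugin.logerror(`no [main]host in relay_via_external.ini; using MX lookup for ${domain}`);
    return next();
  }
  plugin.loginfo(`routing mail for ${domain} via ${mx.exchange}:${mx.port}`);
  return next(OK, mx);
}

// Haraka finds hook handlers by name on the module's exports.
module.exports = { register, load_config, build_mx, hook_get_mx };
```

Keep the credentials file readable only by the Haraka user, since the relay password is stored in the clear, and pair this plugin with the `relay` plugin so that only your app hosts can inject mail into the queue in the first place.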

I haven’t bothered posting about the earlier 2.8.x releases (beyond 2.8.0) because they have mostly fixed small bugs that we introduced in the 2.8.0 release. This is the first release to add significantly new features.

Changes

The connection object is now passed to `get_plain_passwd`. Older modules should continue to work as-is.
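As an added example (not from the release or the project), here is what the new signature lets an auth plugin do: with the connection available, the password lookup can refuse to hand out a credential unless the client comes from the network your app lives on, which limits the blast radius of a leaked relay password. The account table and CIDR are constructed sample values; `connection.remote.ip` is assumed to be the 2.8.x property (with a fallback to the older `remote_ip`), and a real plugin would also inherit `auth/auth_base` in `register`, as shown.

```javascript
'use strict';

// Constructed sample credential store; a real plugin would read a config
// file or query a backend. The password and network are made up.
const APP_ACCOUNTS = {
  webapp: { password: 'constructed-password', allowed_cidr: '10.20.0.0/16' },
};

function register() {
  // auth_base supplies the AUTH PLAIN/LOGIN/CRAM-MD5 machinery and calls
  // get_plain_passwd to obtain the expected password for a user.
  this.inherits('auth/auth_base');
}

// Parse a dotted IPv4 address into an unsigned 32-bit integer, or null.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when the IPv4 address lies inside the CIDR block; false on any malformed input.
function ipInCidr(ip, cidr) {
  const [net, bitsStr] = String(cidr).split('/');
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip);
  const n = ipv4ToInt(net);
  if (a === null || n === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((n & mask) >>> 0);
}

// New-style signature: (user, connection, cb). Plugins still written as
// (user, cb) keep working, per the release notes above.
function get_plain_passwd(user, connection, cb) {
  const account = APP_ACCOUNTS[user];
  const ip = connection.remote ? connection.remote.ip : connection.remote_ip;
  if (!account || !ipInCidr(ip, account.allowed_cidr)) {
    // Unknown user or wrong source network: return no password so auth_base
    // rejects the attempt, and leave a log line that detection can key on.
    connection.loginfo(this, `AUTH lookup for ${user} refused from ${ip}`);
    return cb(null);
  }
  return cb(account.password);
}

module.exports = { register, ipInCidr, get_plain_passwd };
```

Because `get_plain_passwd` returns the plaintext password to `auth_base` (CRAM-MD5 needs it), the lookup itself is the only place to enforce a source-network rule; the comparison against what the client sent still happens in `auth_base`.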

The reseed_rng plugin now just uses the `crypto` module from core, though this plugin should be irrelevant with newer versions of node.js.

New Features

Outbound mail now uses pooled connections, only sending a QUIT message if the connection has been idle for a while.

Improvements

Shutdown and reload (via `haraka -c <path> --graceful`) are now graceful, allowing current connections to finish and plugins to clean up before ending.